Encryption is often used to protect data both in storage and in transmission. To enable encryption, an encryption key is needed to convert plaintext data, or unencrypted data, into encrypted data. The encryption key may be any sequence of bits that satisfies the encryption key length requirement. When an entire disk on a computer is to be encrypted, it may be convenient to use a user-generated password as an encryption key in order to individualize the encryption process. For fast performance, disk encryption typically employs symmetric encryption, which refers to the fact that the same key that is used to encrypt data may also be used to decrypt data. However, because users often use “dictionary” terms as passwords, there is an inherent risk that an encryption key consisting simply of a user password could be easily cracked. Accordingly, a mechanism known as password-based encryption, or PBE, can be utilized to develop stronger encryption keys. With PBE, a user's password is not directly used as the encryption key. Instead, the user's password is converted using a key derivation function, such as a hashing algorithm, to create a hashed password. Key derivation functions are typically one-way functions that cannot be reversed to arrive at the input (i.e., key derivation functions have no inverse), and often also require a salt as input, which allows the same password to produce different keys for different values of salt. The hashed password may then be used as the encryption key to encrypt data. Additionally, a key derivation function allows user passwords of different lengths to be converted into the required length for an encryption key. However, with this approach, any change to the password would require a full re-encryption of the disk by decrypting using the key derived from the old password and re-encrypting with the key derived from the new password.
To this end, the disk may be encrypted with a random disk encryption key generated from a random number generator, and a copy of the random disk encryption key is then encrypted by the key derived from the password, allowing the password to be changed by simply re-encrypting the random disk encryption key.
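The key hierarchy just described, written out as an added example (not code from the disclosure): a salted, iterated key derivation function turns the password into a key-encryption key, the disk is encrypted under a random disk encryption key (DEK), and only the wrapped copy of the DEK is stored with the salt. A password change re-wraps the DEK and leaves the encrypted sectors untouched. Assumptions not stated in the text: PBKDF2-HMAC-SHA256 as the key derivation function, a constructed iteration count, and an HMAC-based counter-mode cipher with encrypt-then-MAC as a stand-in for a block cipher (the Python standard library has no AES); the header layout and the sector contents are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for the password KDF. A constructed value for this example; a
# deployment would pick the highest count its hardware tolerates at unlock time.
KDF_ITERATIONS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Password -> key-encryption key via a salted, iterated one-way KDF (assumed: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    # Split one 32-byte key into independent encryption and MAC keys.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError on a wrong key or a modified blob."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def create_volume(password: str):
    """Generate a random DEK; the header stores only the salt and the DEK wrapped under the password-derived KEK."""
    salt = os.urandom(SALT_LEN)
    dek = os.urandom(32)  # random disk encryption key, never derived from the password
    header = {"salt": salt, "iterations": KDF_ITERATIONS,
              "wrapped_dek": wrap(derive_kek(password, salt), dek)}
    return header, dek


def open_volume(header: dict, password: str) -> bytes:
    """Recover the DEK from the header; a wrong password fails the MAC check."""
    kek = derive_kek(password, header["salt"], header["iterations"])
    return unwrap(kek, header["wrapped_dek"])


def change_password(header: dict, old_password: str, new_password: str) -> dict:
    """Re-wrap the same DEK under a KEK from the new password; encrypted sectors are not touched."""
    dek = open_volume(header, old_password)
    new_salt = os.urandom(SALT_LEN)
    return {"salt": new_salt, "iterations": header["iterations"],
            "wrapped_dek": wrap(derive_kek(new_password, new_salt), dek)}


if __name__ == "__main__":
    header, dek = create_volume("correct horse")
    sector = wrap(dek, b"constructed sector contents")  # one disk sector encrypted under the DEK
    header = change_password(header, "correct horse", "battery staple")
    print(unwrap(open_volume(header, "battery staple"), sector))
```

The sector ciphertext produced before the password change still decrypts afterwards because the DEK itself never changed; only the small wrapped copy in the header was rewritten. Rotating the salt on every password change also means a precomputed table built against the old salt says nothing about the new header.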
This approach allows for another convenience for users: a user may use the same password across multiple machines since the key derived from the user's password may be used to secure the disk encryption key on multiple systems. In this scenario, potential drawbacks arise when a user wishes to change passwords. While a password change may be a trivial operation when the user only uses one system, synchronizing a new password over multiple systems can be more involved. Two potential solutions are manually changing the password across each system, which can be inconvenient, or sending the password across the network to other systems, which poses inherent security risks. A common resolution to this problem is to generate an intermediate asymmetric key-pair which sits between the disk encryption key and the key derived from the password, typically called the user key. The key derived from the password is used to encrypt the private part of the random key unique for the user (user key), and the user public key is used to encrypt the disk encryption key. This allows for password synchronization by allowing the user private key encrypted by the key derived from the password to be shared along with the user's public key across the network without the password itself being at risk. There are other schemes that allow the user key to be securely shared across the network.
Even if data is encrypted, the potential risk of an attack on the encrypted data may be present. Encrypted data may be attacked by a method called a brute-force attack. With a brute-force attack, every possible encryption key in a given key space is tried against encrypted data (preferably against a known sector of data) until a correct key is found. Brute-force attacks can be computationally intensive and can be made even more intensive with longer encryption keys. In an effort to reduce computations, attackers may employ what is known as a dictionary attack, especially when the key derivation function is known or has been improperly retrieved from a computer. A dictionary attack exploits users' tendencies to use passwords that are relatively easy to remember, rather than ones that are completely randomized. Thus, as part of a dictionary attack, typical user passwords and various permutations of those passwords are passed through the improperly retrieved key derivation function to derive a table of potential encryption keys. Even if there are a large number of permutations of typical user passwords, the resulting list of derived encryption keys may be much smaller than a list covering the entire encryption key space. The table of derived encryption keys may then be tested on a known sector of data until the correct key is identified.
While either a brute-force attack or a dictionary attack may be computationally intensive, recent computing advances have reduced and parallelized processing times. With cloud-based computing, multiple processors—which may be on the order of hundreds or thousands—connected by a network may be harnessed to simultaneously attack encrypted data. If a key derivation function is made public or is stolen from a computer, a list of dictionary passwords may be distributed amongst the processors, and a corresponding table of encryption keys may be pre-computed on the cloud. The pre-computed table of encryption keys may then be used to more quickly attack the target computer. In addition to parallelization through cloud computing, graphics processors (e.g., a graphics processing unit, or GPU) may be used to handle the computationally intensive derivations of keys. Graphics processors are designed to be extremely effective at performing calculations and may be employed to more efficiently execute key derivation functions. While the inclusion of a different salt in the key derivation function for each user means that a table needs to be computed for each user, parallelization is still a concern.
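To make the last point concrete, here is an added example (not part of the disclosure) that measures, from the defender's side, how much a single pre-computed table of derived keys covers. It builds the table of the preceding paragraphs for one fixed salt and a constructed list of weak passwords, then checks it against users whose keys were derived with a shared salt versus a random per-user salt. Assumptions: PBKDF2-HMAC-SHA256 as the key derivation function, a constructed iteration count, and constructed user passwords; the user records hold the derived key an attacker could test against a known sector, not the password.

```python
import hashlib
import os

# Constructed work factor; the per-guess cost of the table is this many HMAC rounds.
ITERATIONS = 50_000
SHARED_SALT = b"\x00" * 16          # constructed: what a deployment with one global salt would use

# Constructed list of weak, dictionary-style passwords.
CANDIDATES = ["password", "letmein", "qwerty", "123456", "welcome1"]


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Assumed KDF: PBKDF2-HMAC-SHA256, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def precompute_table(candidates, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """The table described in the text: derived key -> candidate password, valid for ONE salt only."""
    return {derive_key(pw, salt, iterations): pw for pw in candidates}


def enroll_users(passwords, per_user_salt: bool) -> dict:
    """Constructed user records: name -> (salt, derived key). The key is what an attacker tests."""
    users = {}
    for i, pw in enumerate(passwords):
        salt = os.urandom(16) if per_user_salt else SHARED_SALT
        users[f"user{i}"] = (salt, derive_key(pw, salt))
    return users


def table_coverage(users: dict, table_salt: bytes, candidates=CANDIDATES) -> dict:
    """How many user keys one table (built for table_salt) recovers: name -> password found."""
    table = precompute_table(candidates, table_salt)
    return {name: table[key] for name, (salt, key) in users.items() if key in table}


def cost_in_hmac_rounds(n_users: int, n_candidates: int, per_user_salt: bool,
                        iterations: int = ITERATIONS) -> int:
    """KDF work an attacker must spend to cover every user with tables of this size."""
    tables = n_users if per_user_salt else 1
    return tables * n_candidates * iterations


if __name__ == "__main__":
    pws = ["letmein", "qwerty", "correct horse battery staple"]
    print("shared salt  :", table_coverage(enroll_users(pws, per_user_salt=False), SHARED_SALT))
    print("per-user salt:", table_coverage(enroll_users(pws, per_user_salt=True), SHARED_SALT))
    print("rounds, shared vs per-user:",
          cost_in_hmac_rounds(3, len(CANDIDATES), False), cost_in_hmac_rounds(3, len(CANDIDATES), True))
```

With a shared salt, one table built once (on a cluster or a GPU) recovers every user who chose a dictionary password; with a random per-user salt the same table recovers nobody, and the attacker's work grows linearly with the number of users and with the iteration count. The example deliberately shows the residual weakness the paragraph ends on: a table built for one user's salt still covers that user, so the per-guess work factor, not the salt, is what limits a parallelized attack against a single target.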
Typical prior art methods of encrypting and synchronizing data over a network include the above described techniques. The subject matter of the present disclosure is directed to overcoming, or at least reducing the effects of, one or more of the problems set forth above. To address these and other issues, techniques that, in part, reduce the ability to parallelize attacks on encrypted data while permitting password-based information to be transmitted across a network without passing the password itself are described.